k8s-multicluster-ingress

Supporting multiple TLS certs

Open kinghrothgar opened this issue 6 years ago • 8 comments

As far as I can tell, this does not support having multiple TLS certs. My coworker @fastest963 and I are willing to put some time in to add support for this. I see there is some discussion on this topic here https://github.com/kubernetes/ingress-gce/issues/46. Are there any known hurdles for this or any suggestions on getting started?

kinghrothgar avatar Jan 19 '18 21:01 kinghrothgar

Thanks for the issue and offering to help @kinghrothgar

Yes, kubemci does not support multiple TLS certs and, as pointed out in the issue you linked, neither does the ingress-gce controller. Going by the recent comments on that issue, it seems like it should now be possible to use multiple TLS certs, but I haven't tried it myself.

I will recommend trying it manually first and verifying that it works. Create a multicluster ingress using kubemci and then update the target proxy to include links to multiple certs.

Once we have verified that it works, we can update the code. Here is the relevant code that needs updating: https://github.com/GoogleCloudPlatform/k8s-multicluster-ingress/blob/dc1727b8ff165dab9a0909e4e3627aea6b6b2995/app/kubemci/pkg/gcp/targetproxy/targetproxysyncer.go#L290.

Eventually, we should add support to ingress-gce controller as well, and share more code with it. cc @bowei and @nicksardo as fyi

nikhiljindal avatar Jan 23 '18 03:01 nikhiljindal
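
Added example, not part of any comment in this thread and not kubemci code: one way to do the manual step suggested above with `gcloud`. `--ssl-certificates` on `update` sets the whole list, so the certs already on the proxy have to be passed again along with the new ones. The proxy name, project and cert names are placeholders.

```shell
#!/bin/sh
# Manual workaround sketch: attach extra certs to an existing HTTPS target proxy.
# All proxy and certificate names used with these functions are placeholders.

# merge_certs CURRENT EXTRA
#   CURRENT: list as printed by gcloud (';' or ',' separated, full URLs or names)
#   EXTRA:   ','-separated certificate names to add
# Prints a de-duplicated ','-separated list of short names, existing ones first.
merge_certs() {
  printf '%s,%s\n' "$1" "$2" | tr ';,' '\n\n' | sed 's#.*/##' \
    | awk 'NF && !seen[$0]++' | paste -s -d, -
}

# missing_certs CURRENT EXPECTED
#   Prints every name in EXPECTED that is absent from CURRENT, one per line.
#   Useful after re-running kubemci to see whether the list was overwritten.
missing_certs() {
  have=$(merge_certs "$1" "")
  for c in $(printf '%s' "$2" | tr ',' ' '); do
    case ",$have," in
      *",$c,"*) ;;
      *) printf '%s\n' "$c" ;;
    esac
  done
}

# add_certs PROXY EXTRA
#   Reads the proxy's current certs and writes back current + EXTRA.
add_certs() {
  proxy=$1
  extra=$2
  current=$(gcloud compute target-https-proxies describe "$proxy" --global \
    --format='value(sslCertificates)') || return 1
  merged=$(merge_certs "$current" "$extra")
  gcloud compute target-https-proxies update "$proxy" --global \
    --ssl-certificates="$merged"
}

# Run only when called as: script PROXY cert-b,cert-c
if [ "$#" -eq 2 ]; then
  add_certs "$1" "$2"
fi
```
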

@kinghrothgar Were you able to try it out?

Also is this issue blocking you? Wondering if you have been able to use kubemci without multiple TLS certs. Feel free to chime in on https://github.com/GoogleCloudPlatform/k8s-multicluster-ingress/issues/117.

nikhiljindal avatar Feb 07 '18 00:02 nikhiljindal

I don't believe this is blocking me as once I've set up the LB I believe I can go in and add more TLS certs to the LB without messing anything up. I have not tested this yet.

EDIT: We are still planning on working on this, I just have several weeks of other Kubernetes work to do before this is back on my sprint.

kinghrothgar avatar Feb 07 '18 17:02 kinghrothgar

> I don't believe this is blocking me as once I've set up the LB I believe I can go in and add more TLS certs to the LB without messing anything up. I have not tested this yet.

Yes, it should work fine as long as you don't run the kubemci command again. Running kubemci create will overwrite the TLS certs.

nikhiljindal avatar Feb 07 '18 22:02 nikhiljindal

cc @prameshj who is adding support for this in ingress-gce: https://github.com/kubernetes/ingress-gce/pull/142.

We still need to work on adding support for that in kubemci.

nikhiljindal avatar Mar 07 '18 18:03 nikhiljindal

It seems this is now supported by ingress-gce, but adding multiple TLS certs doesn't seem to update the load balancer created by kubemci. Is this a known issue?

cdaguerre avatar Nov 28 '18 13:11 cdaguerre

I confirm multiple TLS certs don't work as-is with kubemci. It can work by adding the TLS certificate manually.

ingress-gce does support multi-TLS, so we should improve kubemci. @nikhiljindal is it in the roadmap? Could you be more specific about the kind of modification the code needs?

lfallet avatar Jan 03 '19 22:01 lfallet

> I don't believe this is blocking me as once I've set up the LB I believe I can go in and add more TLS certs to the LB without messing anything up. I have not tested this yet.

> Yes, it should work fine as long as you don't run the kubemci command again. Running kubemci create will overwrite the TLS certs.

Actually, I just tried today and the additional certificates seem to remain intact after remove-clusters and create -f.

Crazy-Hopper avatar May 29 '19 21:05 Crazy-Hopper